
We are using Apache Geode v1.6.0 and we also use the Geode REST API. However, when our customer did a vulnerability test, they found a potential security risk and we need to fix it.

The report says that http://:7070 shows the following message:

HTTP ERROR 404
Problem accessing /. Reason:

    Not Found
**Powered by Jetty:// 9.4.8.v20171121**

As you can see, the Jetty version is shown, and this is reported as a risk. I searched a lot and found that we can turn off the message by configuring the Jetty setting as follows:

```xml
<Item>
  <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
    <Set name="showContexts">false</Set>
  </New>
</Item>
```

But Jetty is embedded in Geode, so how can I set showContexts to false?

Any suggestion will be appreciated, thanks a lot.

andy

1 Answer


The embedded Jetty server is started and configured in Geode through the InternalHttpService class, and this internal class doesn't provide any feature to manually configure the actual server properties or settings. The showContexts property within the DefaultHandler class, on the other hand, can't be configured through environment variables (which could be used as a workaround); it can only be configured through XML files (not used within Geode) or programmatically.

Long story short: I don't think there's an out-of-the-box way to disable the DefaultHandler as of now in Geode. I'd suggest opening a ticket through the Geode JIRA system and describing in detail the actual issue and impact. The actual fix shouldn't be hard to implement on your own, though: just register a custom ErrorHandler or programmatically set the showContexts property to false within the DefaultHandler instead, so you could submit a PR fixing the problem to get it merged into Geode.

Juan Ramos
  • Thanks for your elaboration. I tried to fix this issue on my own, but failed to build the project. I will open a ticket on Geode JIRA, thanks for help. – andy Sep 25 '20 at 05:37
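For readers who want to see what the programmatic fix described in the answer looks like, here is an added example in plain embedded Jetty 9.4 (it is not Geode's InternalHttpService code, and the port and class name are assumptions for illustration): it sets showContexts to false on the DefaultHandler, installs an ErrorHandler with stack traces disabled, and additionally turns off sendServerVersion on the HttpConfiguration, which is what suppresses both the Server response header and the "Powered by Jetty" footer on error pages.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.server.handler.HandlerList;

// Illustrative stand-alone server, not part of Geode. The class name and port are assumed.
public final class QuietJettyExample {

    public static Server buildServer(int port) {
        // sendServerVersion=false removes the "Server: Jetty(...)" header and the
        // "Powered by Jetty" line that ErrorHandler appends to generated error pages.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSendServerVersion(false);

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(port);
        server.addConnector(connector);

        // The DefaultHandler is what answered the scanner's request for "/".
        // With showContexts=false it no longer lists the deployed contexts and simply returns 404.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);

        HandlerList handlers = new HandlerList();
        handlers.addHandler(fallback);
        server.setHandler(handlers);

        // Error pages carry only the status code: no stack traces, no message in the title.
        ErrorHandler errorHandler = new ErrorHandler();
        errorHandler.setShowStacks(false);
        errorHandler.setShowMessageInTitle(false);
        server.setErrorHandler(errorHandler);

        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = buildServer(7070); // assumed port, matching the question
        server.start();
        server.join();
    }
}
```

After starting it, a request for "/" should return a bare 404 with no Server header and no Jetty version in the body, which is the check the scanner's finding was based on.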